Thursday, May 21, 2009

Client side Http Parameter Pollution - Yahoo! Classic Mail Video Poc

As a follow-up to the HTTP Parameter Pollution presentation, I think it's time to give some details of the Yahoo! Classic Mail exploitation. This is the long version of the video we showed at OWASP AppSec Poland 2009: Youtube LD Video or Wisec HD Video

Moreover, in order to better clarify the details of client side HPP exploitation, here's an excerpt of my mail to the Yahoo! security team:

"...How does client side HPP work?

It's pretty easy, find a name value pair of HTTP parameters and append %26aaaa=aaaaa to it. Example:

http://yahoo.com?par=val%26aaaa=aaa

Have a look at the HTML source, looking for translation of %26 into & or &amp; in anchors or other attributes using the URL, such as:

<a href="http://yahoo.com?par=val&aaaa=aaa"> View </a>

The semantics of such a link change from the function described to something else. In fact, if instead of %26aaaa=aaa the injected parameter is:

%26action=delete

It becomes:

<a href="http://yahoo.com?par=val&action=delete"> View </a>

so even if the user sees View, the action will be delete. Obviously it strongly depends on the functionalities and the structure of the Web app...

Yahoo! Classic Mail Issue

I found that client side HPP is possible on some parameter in the first page of Inbox. For instance:

User/victim clicks in order to see the other messages and gets every message deleted.

Flow #2:

User/victim visits a malicious page

Attacker, after checking if the user is logged in on Yahoo!, redirects the victim on the malicious url.

User/victim clicks in order to see the other messages and gets every message deleted.

...

Cheers, Stefano..."

Just to be clear, this vulnerability is currently patched and it affected the Yahoo! Mail classic version only. However, it is likely to force a user to change the GUI from the brand-new mail interface to the old one.
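
The link-building flaw described in the mail above, next to a corrected version, as an added example that is not part of the original post or of Yahoo!'s code. The host, the function names and the regression check are assumptions made for illustration; it also shows that HTML-escaping the value alone does not stop the injected parameter.

```javascript
// Added example, not from the original post; host and function names are hypothetical.

// Vulnerable: the framework has already URL-decoded `par`, so a request for
// ?par=val%26action=delete arrives here as "val&action=delete".
function buildLinkVulnerable(baseUrl, parValue) {
  return `<a href="${baseUrl}?par=${parValue}"> View </a>`;
}

function escapeHtmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Still vulnerable: "&" becomes "&amp;", which the browser turns back into "&"
// when it reads the attribute.
function buildLinkHtmlEscapedOnly(baseUrl, parValue) {
  return `<a href="${escapeHtmlAttr(`${baseUrl}?par=${parValue}`)}"> View </a>`;
}

// Hardened: percent-encode the value for the query string, then HTML-escape
// the finished URL for the attribute.
function buildLinkHardened(baseUrl, parValue) {
  const url = `${baseUrl}?par=${encodeURIComponent(parValue)}`;
  return `<a href="${escapeHtmlAttr(url)}"> View </a>`;
}

// Parameter names the browser will send on click: entity-decode the href,
// then parse its query string.
function paramNamesOnClick(anchorHtml) {
  const href = /href="([^"]*)"/.exec(anchorHtml)[1]
    .replace(/&quot;/g, '"').replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
  return [...new URL(href).searchParams.keys()];
}

// Regression check for templates: a value must never add parameter names.
function isPolluted(anchorHtml, expectedNames) {
  return paramNamesOnClick(anchorHtml).some((n) => !expectedNames.includes(n));
}

const base = "http://mail.example.test/list";               // hypothetical host
const decoded = decodeURIComponent("val%26action=delete");  // constructed input
for (const build of [buildLinkVulnerable, buildLinkHtmlEscapedOnly, buildLinkHardened]) {
  const html = build(base, decoded);
  console.log(build.name, isPolluted(html, ["par"]), html);
}
```

The same check can run in a template test suite: render each link with a value containing an encoded `&name=value` pair and fail the build if the rendered href carries a parameter name the template did not define.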
